config-linux: Deprecate device access denial

Werkov · Werkov · commit ced0f1744d6c · 2023-07-12T20:29:18.000+02:00
Separate allow/deny lists are specific to device controller existing
only in cgroup v1. Current semantics for devices that don't match
neither allow nor deny is confusing.

cgroup v2 implements access control on the default hierarchy with BPF
hooks. Follow the approach of systemd (refer to systemd.resource(5))
with DevicePolicy=strict, i.e. consider all devices denied by default
and add only entries for devices that should be allowed.

This will simplify the job for runtimes that use systemd for container
cgroup configuration.

For starters, mention that "allow" entries that don't stick to the this
approach are deprecated. Next step would be removal of the "allow"
attribute and implicit denial on all devices.
diff --git a/config-linux.md b/config-linux.md
@@ -304,7 +304,8 @@ The runtime MUST apply entries in the listed order.
 
 Each entry has the following structure:
 
-* **`allow`** *(boolean, REQUIRED)* - whether the entry is allowed or denied.
+* **`allow`** *(boolean, OPTIONAL, **DEPRECATED**)* - whether the entry is allowed or denied.
+    Value of `false` is deprecated if `major,minor` is specified. Missing entry is interpretted as `true` -- relying on default denial for all devices.
 * **`type`** *(string, OPTIONAL)* - type of device: `a` (all), `c` (char), or `b` (block).
     Unset values mean "all", mapping to `a`.
 * **`major, minor`** *(int64, OPTIONAL)* - [major, minor numbers][devices] for the device.
